bruteforcesysent
/dev/kmem bad address
I try to run bruteforcesysent on OSX 10.10.5 in VMware Fusion 8. I have enabled both boot-args, sudo nvram boot-args="kmem=1" and

<plist version="1.0">
<dict>
<key>Kernel Flags</key>
<string>kmem=1</string>
</dict>
</plist>

in /Library/Preferences/SystemConfiguration/com.apple.Boot.plist. When I do ls -l /dev/*mem I get crw-r----- 1 root kmem 3, 1 Nov 3 12:04 /dev/kmem. When I run bruteforcesysent, it returns -1 upon trying to open /dev/kmem.

When I do sudo cat /dev/kmem, it returns cat: /dev/kmem: Bad address.

Any clue whether bruteforcesysent should be using a different offset for rw access to /dev/kmem, or is something else happening?
No idea, I haven't used kmem in a while so I have no idea about its status in 10.10.5. Either the system logs have something about the error or kmem has some access control.
Was there any resolution to this? Having the same issue on the same version.
Okay, so I've done some digging and realised that regardless of whether you give root privileges, you cannot open /dev/kmem without a chmod to provide users with read ability. I tested this using read-only with open and it allowed me to read kmem; however, I don't think it is actually possible to write to kmem at all. So all that needs to be changed is open("/dev/kmem", O_RDWR) to open("/dev/kmem", O_RDONLY).
For now this seems to enable me to actually open kmem; however, I haven't tested it in bruteforcesysent yet. Will test now and post results.
Yep, that seems to solve the issue. Please change line 127 to read if((fd_kmem = open("/dev/kmem",O_RDONLY)) == -1)
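A small diagnostic, added here and not part of bruteforcesysent, that walks through the three checks this thread turns on: open with O_RDWR as line 127 did, fall back to O_RDONLY as proposed above, then read one byte at offset 0 the way cat does (which is where "Bad address", EFAULT, showed up). The function and enum names are my own; the path defaults to /dev/kmem but can be overridden on the command line.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Which step failed; STEP_OK means open and read both succeeded. */
enum kmem_step { STEP_OPEN = 0, STEP_READ = 1, STEP_OK = 2 };

/* Try O_RDWR first, then O_RDONLY, then read one byte at offset 0.
 * Returns the enum value of the first failing step (or STEP_OK).
 * err_out receives errno of the failing step (0 on success), opened_rw
 * receives 1 if O_RDWR worked and 0 if we had to fall back. Both may be NULL. */
int probe_kmem(const char *path, int *err_out, int *opened_rw)
{
    unsigned char byte;
    int fd, rw = 1, err = 0;
    enum kmem_step step = STEP_OK;

    fd = open(path, O_RDWR);
    if (fd == -1) {
        rw = 0;                       /* the tool's original mode failed */
        fd = open(path, O_RDONLY);    /* the fallback proposed in the thread */
    }
    if (fd == -1) {
        step = STEP_OPEN;
        err = errno;
    } else if (read(fd, &byte, 1) == -1) {  /* cat's failure shows up here */
        step = STEP_READ;
        err = errno;
    }
    if (fd != -1)
        close(fd);
    if (err_out)
        *err_out = err;
    if (opened_rw)
        *opened_rw = rw;
    return (int)step;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/kmem";
    static const char *names[] = { "open()", "read() at offset 0", "ok" };
    int err = 0, rw = 0;
    int step = probe_kmem(path, &err, &rw);

    printf("%s: %s%s\n", path, names[step],
           step == STEP_OK ? (rw ? " (O_RDWR)" : " (O_RDONLY fallback)") : "");
    if (err)
        printf("  errno %d: %s\n", err, strerror(err));
    return step == STEP_OK ? 0 : 1;
}
```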
This issue is fixed in my PR #5.
Hmmm, this is not interesting because I use kmem to write to kernel memory. Demands a deeper understanding to see if Apple removed write capabilities from kmem.
OK. I thought this tool's main purpose was to retrieve the _sysent address, which it can again with this fix.